Ian G wrote:
> Coupled with the emphasis on "the search for the
> revenue stream" and a bunch of crypto vendors who
> thought their time had come, the scene was set for a
> very big approach to this threat.  They didn't adopt
> the original threat model, but picked up a military-
> inspired threat model - the MITM - which came from
> the best of crypto experience, going back through
> centuries of warmaking.

As far as I know it was Netscape that invented SSL. They picked a scheme
that was provably secure (from a math point of view), which was good.

And comparing SSH and SSL is not totally fair - usage differs. There is
much more of an incentive for a criminal to intercept the first SSH
connection to a bank (supposing SSL was not invented) than to random
hosts out there. And there are many more connections to a bank than
there are SSH login attempts to a host.

> It also made severe demands on the users and the
> browsers.  Now, what the users discovered and the
> browser GUI people also discovered was that there
> was no threat.  There was no-one listening to credit
> cards, at least.  (Recall, online banking and thus a
> need to protect passwords did not turn up until later.)

One of the reasons why there is (seemingly) no threat is that SSL is so
pervasive, and it takes a lot of effort to break SSL.

> So users did the logical thing - they ignored the
> security.  No threat, so no point in doing anything

I wouldn't say so. People do think about security to some extent, but
many are checking the wrong things, or they ignore the warnings they
get. Ignoring warnings can be due to various reasons, only one of which
is people consciously ignoring security. Others include badly configured
websites that require users to ignore the warnings, or users really
wanting to use the service even though it may be against their best
interest, and not understanding the implications of the warnings.

> but the minimum necessary.  What browser manufacturers
> did was the logical thing - they reduced the security
> component on the chrome over time until it had all
> but disappeared.  No threat, so no point in it being
> there.

Are you inventing history here? I don't remember what the early
browsers looked like, but was there really more security in the early days?

-- 
  Heikki Toivonen
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
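The SSH-versus-SSL point above (that the first SSH connection is the one worth intercepting) is easy to show in code. The following is an added example written for this page, not code from the thread or from any SSH or SSL implementation: it models SSH-style trust-on-first-use with a known_hosts-like store, and beside it a pre-established trust model in which a key must carry a valid credential from a trusted issuer before the first contact. The host name bank.example, the key strings and the CA secret are constructed, and an HMAC is used as a stand-in for a real CA signature purely to keep the example self-contained.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample data (hypothetical host and opaque key strings).
HOST = "bank.example"
BANK_KEY = "ssh-ed25519 AAAA...bank-constructed"
MITM_KEY = "ssh-ed25519 AAAA...attacker-constructed"


@dataclass
class TofuStore:
    """A minimal known_hosts-style store: trust whatever key is seen first."""
    known: dict = field(default_factory=dict)

    def verify(self, host: str, presented_key: str) -> str:
        """Return 'first-contact', 'ok' or 'mismatch' for this connection."""
        pinned = self.known.get(host)
        if pinned is None:
            self.known[host] = presented_key  # trust on first use
            return "first-contact"
        return "ok" if pinned == presented_key else "mismatch"


def simulate_tofu(first_contact_intercepted: bool) -> list:
    """Three connections: the first may be intercepted, the second always is,
    the third is genuine. Returns the verdict for each connection."""
    store = TofuStore()
    first = MITM_KEY if first_contact_intercepted else BANK_KEY
    return [
        store.verify(HOST, first),     # connection 1
        store.verify(HOST, MITM_KEY),  # connection 2: attacker in the path
        store.verify(HOST, BANK_KEY),  # connection 3: real bank
    ]


# Stand-in for a CA: a keyed MAC over (host, key). In a real PKI this would be
# a signature the client checks with a pre-installed public key; the HMAC
# secret here is constructed and never reaches the client in this model.
CA_SECRET = b"constructed-ca-secret"


def ca_issue(host: str, key: str) -> str:
    return hmac.new(CA_SECRET, f"{host}|{key}".encode(), hashlib.sha256).hexdigest()


def ca_verify(host: str, key: str, credential: str) -> bool:
    return hmac.compare_digest(ca_issue(host, key), credential)


def simulate_ca(first_contact_intercepted: bool) -> list:
    """Same three connections, but trust is established before first contact:
    the attacker cannot produce a credential for its own key."""
    bank_cred = ca_issue(HOST, BANK_KEY)
    forged_cred = "0" * 64  # attacker has no CA secret; any value fails
    first = (MITM_KEY, forged_cred) if first_contact_intercepted else (BANK_KEY, bank_cred)
    return [
        ca_verify(HOST, *first),                # connection 1
        ca_verify(HOST, MITM_KEY, forged_cred), # connection 2: attacker in the path
        ca_verify(HOST, BANK_KEY, bank_cred),   # connection 3: real bank
    ]


if __name__ == "__main__":
    print("TOFU, clean first contact:      ", simulate_tofu(False))
    print("TOFU, intercepted first contact:", simulate_tofu(True))
    print("CA,   clean first contact:      ", simulate_ca(False))
    print("CA,   intercepted first contact:", simulate_ca(True))
```

With TOFU, an attacker who wins the first connection is pinned as the bank, and the genuine bank is what later shows up as a "mismatch" warning; with pre-established trust the attacker fails on every connection, first or not, which is why the first-contact window matters so much more for the SSH model than for the CA model.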
